NOTE
-
There are issues encountered for K8s HA clusters when certificates renewal is enabled and applied after
kubeadm reset. If you restored control plane VMs from snapshots or used this command and plan to runepicli apply, make sure thatrenewoption is set tofalse. -
By default, kubeadm sets certificates expiration period to 1 year. If the cluster is upgraded, and different expiration period is required, run
epicli applywith appropriate configuration.
It's possible to regenerate Kubernetes control plane certificates with Epiphany. To do so, additional configuration should be specified.
kind: configuration/kubernetes-master
title: "Kubernetes Master Config"
name: default
provider: <provider>
specification:
advanced:
certificates:
expiration_days: <int>
renew: trueParameters (optional):
- expiration_days - days to expire in, default value is
365 - renew - whether to renew certificates or not, default value is
false
NOTE
Usage of values greater than 24855 for expiration_days is not possible. For more information
see discussion about that.
When epicly apply executes, if renew option is set to true, following certificates will be renewed with expiration
period defined by expiration_days:
- admin.conf
- apiserver
- apiserver-etcd-client
- apiserver-kubelet-client
- controller-manager.conf
- etcd-healthcheck-client
- etcd-peer
- etcd-server
- front-proxy-client
- scheduler.conf
NOTE
kubelet.conf is not renewed because kubelet is configured for automatic certificate renewal. To verify that, navigate
to /var/lib/kubelet/ and check config.yaml file, where rotateCertificates setting is true by default.
This part cannot be done by Epiphany. Refer to official Kubernetes documentation to perform this task.